Since the introduction of the Sarbanes-Oxley legislation, plan sponsor's must exercise control procedures over pensions. Jeffrey D. Mamorsky, Senior Partner at Greenberg Traurig, LLP explains what we must do to safeguard the future of our pension plans.
We all live in a 'global pension world'. We all share common challenges and concerns of great importance in ensuring the security and continued viability of our pension systems. The stakes are huge. For example, it's a reality that pension fund assets, in many cases, exceed a plan sponsor's market capitalisation.
However, the glue that binds us all together is the need for 'best practice' pension governance standards to prevent the horror stories that have been happening all over the world.
PENSION PLAN PROBLEMS
They started of course, in the USA with Enron, Worldcom and other scandals that led us to the Sarbanes-Oxley legislation (SOX) and the new emphasis on the establishment of internal control procedures on all material items in the financial report including pensions.
It was then followed by the mutual fund scandals and insurance probes by the Securities and Exchange Commission (SEC) and state attorney generals. And now recently we have been confronted with transparency issues such as hidden and bundled service provider expenses and self-dealing conflict of interests that sometimes exist with plan vendors.
All this happened in the USA despite the fact that the federal pension law, the Employee Retirement Income Security Act of 1974 (ERISA), contains rules that require plan sponsors to establish internal control procedures to monitor compliance with the fiduciary responsibility requirements of ERISA.
These rules were in some cases not followed since there were few real teeth in the law. It took SOX with its draconian certification penalties and ERISA's 'white collar' criminal penalty provisions to make plan sponsors take pension governance more seriously.
The same thing has happened in the UK with new pension legislation and the introduction of a Pension Regulator and EU Directive on Pension Governance.
There has truly been a cultural change of monumental proportions all over the world. At the core of this sea change has been the legislation and regulatory imposition of heightened fiduciary responsibilities of employers and trustees in both the USA and non-USA pension jurisdictions and the recognition of the importance of comprehensive and effective plan fiduciary control procedures.
This article examines these heightened fiduciary responsibilities both in the USA and UK that may be a harbinger of things to come in other pension jurisdictions who may similarly conclude that the private sectors (trustees and employer plan sponsors) need to self-police our pension system in order for it to survive.
USA PENSION PLAN ENVIRONMENT - SOX CERTIFICATION
USA fiduciary liability has exploded as the result of accounting abuses, mutual fund market timing scandals, hidden investment expense fees, expanding fiduciary litigation, governmental investigations and the alleged 'gaming' of pension actuarial assumptions to lower plan contributions and increase benefits.
Employer sponsors and other plan fiduciaries now recognise that enormous personal liability comes with the responsibility of being a fiduciary governed by the strict requirements of ERISA.
This liability has increased as the result of legislation such as SOX that requires a public company CEO, CFO or other responsible fiduciary to certify the establishment and adequacy of 'disclosure controls and procedures' relating to material items in the annual financial report.
What companies sometimes overlook is that this SOX section 404 management assessment of the adequacy of internal control procedures requirement applies to pension and benefit expenses.
This is an issue that cannot be overlooked since SOX includes draconian sanctions of $2m and up to ten years' imprisonment for non-wilful ($5m / up to 20 years' imprisonment for wilful) certification of any statement that does not comply with SOX requirements.
ERISA WHITE COLLAR CRIME PENALTY PROVISIONS
SOX also applies to private companies since it adds new ERISA white collar criminal penalty provisions that impose sanctions on employer plan sponsors and plan fiduciaries for wilful violations of ERISA's financial statement and other reporting and disclosure requirements.
This could occur in the case of a certified financial statement of a pension, 401(k) or other retirement plan where the auditor now requires employer plan sponsors to represent that the plan is operated pursuant to its terms and applicable law.
This representation, which appears as a footnote in every plan's financial statement, is likely to be inaccurate in the absence of the establishment of internal control procedures that enable the employer plan sponsor to identify inconsistencies between administration, plan provisions and IRS qualification requirements.
The problem is that this is rarely the case since although pension lawyers may draft perfect plan documents and obtain a determination letter from IRS, the document rarely accurately depicts all aspects of plan administration which may also be incorrect.
The importance of this issue has been recently addressed by the AICPA with the issuance of 'SAS No.99 - Consideration of Fraud in a Financial Statement Audit' that concludes that the lack of internal control procedures for establishing and monitoring an employer's financial statement representations may result in a material representation and possibly fraud.
In this regard, the AICPA recommends the engagement of a specialist to perform an independent review to ascertain the adequacy of internal control procedures.
The SOX enhanced ERISA white collar crime penalty provisions imposes a $500,000 sanction (and $100,000 per responsible individual) and up to ten years' imprisonment for wilful violations of ERISA's financial statements and other reporting and disclosure requirements.
Misrepresentation of operational compliance with plan document and IRS qualification requirements in a qualified plan financial statement in the absence of internal control procedures that verify compliance may be considered 'wilful' behaviour resulting in the impositions of such sanctions.
IRS EMPLOYEE PLANS EXAMINATION PROGRAM
Under the IRS employee plans Closing Agreement Program (CAP) the IRS may impose monetary sanctions on employers for failure to operate retirement plans in accordance with IRS qualification requirements and for failure to follow the terms of the plan documents even if plan operation is within compliance with IRS qualification requirements.
The IRS EPCRS Program requires employers to establish self-audit internal control procedures to qualify for self-correction and mitigate the amount of IRS monetary sanctions.
Sanctions may be imposed by the IRS on audit even if failures are unintentional discrepancies between plan operation and plan documents that result in no harm to plan participants.
The amount of sanctions can be draconian since the maximum payment amount is the total amount of tax that would apply if the plan were disqualified. For example, the starting point for negotiations with the IRS on the amount of the sanction is often 20% of plan assets.
If an IRS auditor identifies any defects in the plan's operational compliance with the qualification requirements of the internal revenue code, the auditor will require retroactive correction of the defects and ask the employer and other 'responsible fiduciaries' to make a CAP monetary sanction non-deductible payment to the IRS, the amount of which is generally based on the total amount of tax that would be imposed on the contributing employers, trust and participants if the plan were disqualified.
In many instances this can be a substantial amount (possibly millions of dollars). The IRS has already concluded over thousands of CAP audits and has imposed monetary sanctions as high as $10m in the case of a large multi-employer plan for failure to comply operationally with the code's qualification requirements. Hundreds of additional cases are currently being negotiated with IRS under the CAP program.
The issues identified by the IRS on audit rarely constitute intentional or blatant violations of the code's qualification requirements. The majority of the problems appear to involve errors, which often occur in the administration of qualified plans and are of the type that can easily be discovered on an audit by IRS.
For example, in one case the trustees of a large collectively bargained benefit plan paid in excess of $5m in CAP monetary sanctions plus the cost of correction of various service crediting violations which resulted in vesting and benefit accrual violations.
The service-crediting problem was caused by the failure of the employers and plan administrator to maintain a system to track 'covered employment' (employment covered under the terms of the collectively bargained agreement) in an industry in which union shops went in and out of business frequently and there was no system in place to keep track of union members as they moved from one shop to another or from employment status to unemployment status and vice versa.
In another case, a large collectively bargained defined benefit plan did not track service properly and as a result, a large number of employees did not receive service credit under the plan.
Moreover, as a result of a failure to adjust employer contributions rates, the plan became vastly overfunded. This resulted in the assessment and collection of a multi-million dollar CAP monetary sanction upon audit by IRS.
There is also a new IRS audit initiative targeting 'large' retirement plans with 2,500 or more participants. This large retirement plan audit initiative is different in size, scope and intensity than previous audits of qualified plans.
An IRS audit team typically consists of 6-8 professionals (including a revenue agent, benefits and computer audit specialists, benefits attorney and actuary). The typical large plan IRS audit exam is expected to last 200-300 staff days. Large multi-employer plans and other risk profilers are specifically targeted.
Also, there has been a change in focus of the IRS audit initiative. Under the new IRS employee plans 'focused audit' program, the IRS has modified their auditing procedures to focus on whether the trustees have established internal controls to ensure that the plan is operationally compliant with the plan document and code requirements. If the IRS auditor is satisfied that such internal controls are in place, the plan examination may be limited and/or curtailed.
DOL VFC PROGRAM AND PLAN EXPENSE AUDIT INITIATIVE
The Department of Labor (DOL) has also established a program that enables plan sponsor employers to mitigate (and in some cases eliminate) the imposition of sanctions on the employer and other responsible fiduciaries.
The DOL Voluntary Fiduciary Correction (VFC) program enables ERISA fiduciaries to identify and correct prohibited transactions and other ERISA violations before an audit by DOL.
Such self-correction is important since ERISA Section 502(l) imposes a civil penalty of 20% of the amount recovered in the case of a breach of fiduciary responsibility including the requirement to administer the plan in accordance with the documents and instruments governing the plan and the requirements of ERISA.
Similar to the IRS EPCRS program, the DOL VFC program is conditioned upon the establishment of self-audit internal control procedures that enable the employer fiduciaries to identify and correct IRS and ERISA violations before an audit by IRS or DOL.
Another major concern that has been featured in the press is the failure to disclose retirement plan expenses to plan participants.
The DOL considers this issue to be the responsibility of the employer plan fiduciary and has recently announced an aggressive DOL Plan Expense Audit Initiative that imposes personal liability on corporate executives for failure to monitor the reasonableness of plan expenses.
For example, aggressive DOL enforcement of this ERISA fiduciary responsibility requirement resulted in a settlement of over $50 million for improper plan expenses and failure to prudently select and monitor plan service providers.
INCREASED GOVERNMENT AND PARTICIPANT LITIGATION
Problems with the ERISA fiduciary system have been around since its enactment in 1974. This is because ERISA's statutory provisions allow a corporate officer of a plan sponsor to also serve as a plan fiduciary and enforcement of the law depends on the monitoring of ERISA's self-dealing and other prohibited transaction provisions by the DOL and the courts.
Although the number of fiduciary breach cases brought by the DOL has remained relatively steady in recent years, the number of cases involving 401(k) plans has increased as the result of the recent economic downturn and the growing prevalence of employers becoming delinquent in required contributions and the proper administration of plans.
Also, plan participants are complaining more as the stock market slump has sent the value of plans plunging. As more high-profile accounting scandals come to light, from Enron to Global Crossing to Rite Aid, lawyers are expanding the focus of lawsuits to company directors, executives and other plan fiduciaries.
Even plan advisors have been particularly hard hit. For example, major actuarial firms have been so hurt by litigation that they have been unable to obtain adequate insurance and are asking plans to accept a liability cap of $250,000 and seeking indemnification from plan fiduciaries.
Also, public companies face the spectre of shareholder derivative lawsuits that could impose civil liability on corporate directors for failure to establish procedures for monitoring compliance that mitigate or eliminate corporate liability such as the IRS and DOL self-audit compliance programs that require corporations to identify and correct retirement plan violations in order to avoid the imposition of sanctions.
All companies (public and private) sponsoring retirement plans face the risk of DOL and participant lawsuits by class action plaintiff attorneys who have begun to specialise in ERISA lawsuits and effectively function as 'pension police'.
This could result in civil liability for ERISA breach of fiduciary duty for failure to monitor compliance with IRS and DOL requirements. Moreover, retirement plan fiduciaries face the risk of DOL litigation.
For example, a recent ERISA breach of fiduciary action against Enron held that its officers and directors, members of the plans' administrative committees, plans' trustees and outside auditors could be personally liable for allowing plan losses due to investments in Enron stock.
Another ERISA breach of fiduciary action resulted in the imposition of personal liability against a pension investment committee of a major plan sponsor for imprudently investing $211m of plan assets without giving participants adequate information about risks involved with the investment.
UK PENSION PLAN ENVIRONMENT
There has also been a growing interest in corporate governance in the UK For example, the combined code on corporate governance issued in July, 2003 states that:
"The board should maintain a sound system of internal control to safeguard shareholders' investment and the company's assets," and "The directors should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management."
The Turnbull Report (annexed to the code) sets out guidelines as to how these principles should be implemented by companies. It contains questions for directors to consider when implementing internal control, risk management and monitoring receipt of information.
Many questions are equally applicable in the context of pension scheme control and management and provide a good starting point for trustees looking to implement their own systems of good practice.
The Pensions Act of 2004 also focuses on the future governance and administration of pension schemes and includes provisions for a new pensions regulator to concentrate its efforts on schemes that possess a high risk of fraud, bad governance or poor administration.
In this regard, the act states that the pensions regulator may issue codes of practice "containing practical guidance in relation to the exercise of functions under the pensions legislation, and regarding the standards of conduct and practice expected from those who exercise such functions."
In connection with this provision, the pensions regulator issued a 'code of practice on internal controls' in September 2005. The code of practice is essential reading not only for UK pension trustees, sponsoring employers and plan administrators but also for anyone interested in pension scheme control and governance.
CODE OF PRACTICE CONTENTS
The following important points contained in the code of practice are illustrative examples of what needs to be done to monitor fiduciary governance and controls:
1. Article 14 (1) of the European Directive on the Activities and Supervision of Institutions for Occupational Retirement Provision places an obligation on trustees or managers of occupational pension schemes to have 'sound administrative and accounting procedures and adequate internal control mechanisms'. This obligation has been incorporated into UK law by regulations which insert a new section into the Pension Act 2004.
2. Trustees or managers of an occupational pension scheme must establish and operate internal controls which are adequate for the scheme to be administered and managed in accordance with the scheme rules and pensions legislation and any other relevant legislation.
3. Robust internal controls contribute to good scheme administration and ultimately help protect members and, by extension, the pension protection fund.
4. Governance is featuring higher on the agenda and not just for those involved in administering and managing pension schemes. Guidance on internal controls has been issued to directors of listed companies in the Turnbull Guidance (Internal control: Guidance for Directors on the Combined Code). This code adopts a similar risk assessment approach and the pensions regulator is promoting the concept of trustees or managers developing a risk management framework when assessing the existence or adequacy of key internal controls.
5. The extent to which trustees or managers review systems and controls should not focus solely on financial and administrative procedures. Those responsible for the stewardship of the scheme should also consider the wider impact of risk by developing a risk management framework. Internal controls are management tools used to manage risks, both internal and external, and will play an integral part in having a well-run scheme.
6. Linking internal control to risk management will allow schemes to focus on significant risk areas. We expect trustees or managers to set up adequate internal controls that enable them to react to significant funding, operational, financial, regulatory and compliance risk.
7. Not only will the establishment of adequate internal controls ensure the effective and efficient running of a scheme, they will also play a key role in reducing the likelihood of fraud. (This incorporates concepts contained in SOX and SAS 99 issued by the AICPA).
8.There is no explicit legislative requirement to report a lack of adequate internal controls. However, persistent failure to put in place adequate internal controls may, for example, be a contributory cause of an administrative breach or, in more extreme cases, result in the reduction or loss of scheme assets. Where in doubt over the effective stewardship of a scheme, the pensions regulator would expect to receive a whistle-blowing report.
9. It is intended that this code should primarily be read and acted upon by trustees, both individual and corporate, and managers of occupational pension schemes. The pensions regulator also recommends the code to a wider readership including:
- Scheme advisers - in particular scheme auditors because of their involvement in the assessment of key financial controls during the audit cycle
- Participating employers
- Service providers such as fund managers, custodians and administrators
- Others involved with the management and administration of occupational pension schemes
10. During, or at the completion stage, of an audit the auditors will normally produce a management letter for the trustees or managers of a scheme to consider. The purpose of this document is generally to highlight weaknesses in key controls identified during the audit. The document may also make recommendations on how controls can be improved and the pensions regulator would expect trustees or managers to respond accordingly. Where the wider implication of a failure to implement recommendations results in persistent administrative breaches, for example, the auditor may feel it appropriate to report this matter to the pensions regulator. This would clearly be the case where the breach was deemed materially significant.
11. A number of larger third-party administrators are commissioning independent reviews of their internal controls to assess whether they have operated in accordance with standard guidelines. The pensions regulator recommends that trustees or managers, who have outsourced their administration and accounting procedures, establish whether in fact the service organisations they use are undertaking these FRAG21/94 style reviews.
WHAT CAN BE DONE?
What is surprising is that sponsoring employers, trustees and administrators are not taking pension governance more seriously despite the UK pension legislation's focus on governance and the pension regulator's issuance of a code of practice on internal controls and the USA government's establishment of voluntary self-audit programs that enable employers to avoid stiff penalties imposed by the IRS and the DOL that in some cases equal up to 20% of plan assets.
Some employers and trustees have generally been reluctant to establish internal control procedures that identify and correct errors in operational compliance and have instead opted to play the 'audit lottery' hoping that they won't get caught by the IRS or the DOL.
This reluctance to self-audit the operational compliance of their retirement plans has begun to change with the enactment of SOX, which imposes far more draconian sanctions and imprisonment of employers, trustees and other fiduciaries for failure to establish and monitor internal control procedures that ascertain operational compliance.
Also, the new IRS 'focused audit' program requires employers and trustees to establish self-audit internal controls on plan operational compliance in order to limit and curtail an IRS audit. Failure to do so is foolhardy and can result in fraudulent financial reporting under SAS 99.
As a result of personal liability for breach of fiduciary duty for failure to administer plans in accordance with plan documents and applicable law, there is a compelling need for plans and trustees to purchase adequate insurance to cover defence and settlement costs relating to breach of fiduciary, corrections of administrative errors and CAP monetary sanctions imposed by IRS.
Unfortunately, there is often confusion and misunderstanding as to the insurance necessary to cover these areas of liability.
For example, it is not uncommon for employers and trustees to believe that their bonding insurance also covers fiduciary liability (which is never the case) or that their fiduciary liability policy covers not only breaches of fiduciary duty but also losses relating to errors in the administration of the plan which may not be the case without the purchase of a specific employee benefits liability or 'errors and omissions' insurance endorsement.
Moreover, there is limited coverage of fines or penalties such as IRS CAP monetary sanctions which is only covered in nominal amounts (not more than $100,000). It has not been until recently that an insurance program has been available offering 'IRS liability insurance' covering employers and trustees for expanded CAP monetary sanctions (up to $5m) that the IRS may impose as a result of a failure to operate the plan in accordance with the Code's qualification requirements, as well as coverage for benefits corrections required by IRS as the result of an audit of the plan.
Finally, there is no better protection than effective fiduciary management which requires best in class fiduciary governance internal control procedures. Moreover, employers, trustees and other responsible fiduciaries must recognise that they have individual accountability for decisions which affect the financial and operational conduct of the plan and scheme.
In this regard, it is important to seek the advice of independent counsel who can render a clear and unfettered analysis and examination of critical fiduciary governance and operational issues, the private and privileged correction of operational shortcomings and the installation of special protective insurance coverage to protect against large personal liabilities. Put another way, employers, trustees and their counsel need to self-police the pension system in order for it to survive.
